SSO between multiple applications (web and silverlight) across multiple domain
Here's my situation,
i've got a couple applications: - web site using .net cms running externally on a webhost without an active directory domain (authentication based on forms authentication with the cms database) - several silverlight applications running internally in the customers network and domain (authentication through active directory, mapped to a user table in a database, application currently not published externally)
Let's say i want all these apps to be able to authenticate users not to their own databases, but a centrallized db. (not all the apps run in a different network, mapping to l开发者_开发百科ocal user accounts is acceptable since the application may store user roles etc.) On the user i want to store to which customer it belongs to, if it has rights to use the app and more personal information
note this also has to work for windows forms / wcf applications in the future so cookies is not an option.
What would be the best way to do this?
I've thought about setting up a published soap service with a database which stores all the info, and then for each application write some logic to authenticate using this webservice. I'm not to keen however to publish all this information through webservices anyone can access. If i secure this webservice with basic authentication on a domain, the credentials are send over in clean test, this is not an option when it comes to private user information.
Does anyone have an idea how to tackle this?
You could use a web sso based on federation protocols, like SAML or WS-Federation.
In your case, the most obvious solution would be based on Active Directory Federation Services
You set up a central authentication server based on ADFS, and deploy an ADFS agent on each of your web servers.
When a user try to acces one of the application, he will be redirected to the central authentication server. This server will be in charge of authenticating him, maybe do some access control verification and send back a security token to your application.
All this cinematic doesn't rely on cookies, but data exchanged through the browser of the user via POST/GET methods.
Another point to be noted is that it is well integrated with the Windows Identity Foundation (WIF) framework and therefore there shouldn't be a problem with Windows Forms/WCF applications.
精彩评论